1

I have been using svn for past few months (with default authentication rules) and only recently decided I wanted to add a bit more control over the repository authentication. I have been looking through this book (http://svnbook.red-bean.com/en/1.4/svn-book.html#svn.serverconfig.pathbasedauthz), and I thought I understood what I was doing. So, I have started configuring the repo. However, I seem to be having problems authenticating users.

I have a server at workserver.com and the repo is in the directory /home/repoAdminUser/svnroot/ (that is in the home-directory of a user because I do not have root-access to workserver.com). I have changed the configuration files as follows:

`/home/repoAdminUser/svnroot/conf/svnserve.conf`:
anon-access = none
password-db = passwd
authz-db = authz

`/home/repoAdminUser/svnroot/conf/passwd`:
[users]
admin1=pass1
admin2=pass2
otheruser1=pass3

Now, I want to add the authority such that all admin-users will have read/write ability everywhere and other users will have restricted read-only access to specific trunks. So, I tried the following

`/home/repoAdminUser/svnroot/conf/authz`:
[groups]
admins=admin1,admin2
other1=otheruser1,otheruser2
#etc ...

[/]
@admins=rw

[/project1/trunk]
@other1=r

then, when I try to check out the directories with either:

svn co --username admin1 --password pass1 svn+ssh://workserver.com/home/repoAdminUser/svnroot/anyproject/directory

or

svn co --username otheruser1 --password pass3 svn+ssh://workserver.com/home/repoAdminUser/svnroot/project1/trunk

I receive the "svn: Authorization Failed" error message. In fact, I found that the only way to get anything to checkout is give the wildcard-user (everyone) access the a particular directory:

 [/any-directory]
 * = r

this will then allow any-user (anonymous or authenticated) the ability to checkout the directory. What am I doing wrong? And, how can I fix this so that I have the desired structure I mentioned earlier. Thank you for any help you can give!

scicalculator
  • 111
  • 2

2 Answers2

0

I'm not sure but could you please try to add auth-access = write underneath the anon-access = none to see if it works.

quanta
  • 51,413
  • 19
  • 159
  • 217
  • Ya, I have tried this, but it sadly does not work. I originally did not include the auth-access above because "write" is the default value and therefore does not need to be included ... if that is the desired value. Thanks for the idea, though. – scicalculator Aug 25 '11 at 15:39
0

This couls be bug 3242 - clients make an OPTIONS request at the root of the repository which gets a 403. Is your access denied to /svnroot/ or /svnroot/project1/? (Check the apache logs if it's not in the message.)

Solutions?

  1. Try upgrading all your subversion clients to 1.6.13 or later - according to the issue ticket that's when this was fixed
  2. Patch your subversion server to permit OPTIONS at the repository root for all users. Here's my old patch to do this which permits the OPTIONS only and doesn't leak information about other project directories (I don't think). I didn't get accepted to subversion - I wasn't seriously proposing it, though - but we've run it on our SVN server for several years now.

If that's not it, please let us know which client and server versions you're running. Thanks!

Rup
  • 255
  • 5
  • 15
  • Sorry to be so slow in responding to you. Unfortunately, the bug report is not for a related issue compared to what I am experiencing. In fact, I even opened a dummy-repo on a local computer of mine with the latest verson of SVN and had the same failure. However, that leads me to believe that SVN does not actually transmit my username or password over the ssh connection. Do you know of any way to setup svn to transmit this info or setup a keygen-authorization that provides the server with the appropriate login info? Thanks for your ideas so far, and if you have any others, I'd appreciate it. – scicalculator Sep 04 '11 at 15:17